Apache Reverse Proxy: Difference between revisions

From Universal Devices, Inc. Wiki
Jump to navigation Jump to search
mNo edit summary
mNo edit summary
Line 16: Line 16:
This example forces authentication - and injects the correct authorization header when presented to ISY. This means you can use different credentials for this site - or even multiple user accounts.
This example forces authentication - and injects the correct authorization header when presented to ISY. This means you can use different credentials for this site - or even multiple user accounts.


Make sure to set the Authorization header to be correct for your ISYs credentials.
Make sure to set the Authorization header to be correct for your ISYs credentials. This needs to be in the format 'username:password' and then base64 encoded. You can (probably) generate the needed header value with the command line:
<pre>
echo -n "user:password" | base64
</pre>
(replace user and password with your ISY username and password)


<pre>
<pre>

Revision as of 01:19, 3 July 2016

It is possible to configure Apache to perform a reverse proxy function to the ISY - including support for websockets. It's not completely useful - since the SOAP subscription used by the admin console and Mobilinc is not supported by Apache. This configuration works well with Agave - and allows a very speedy SSL connection to be achieved, once you add SSL to the virtual.

Apache needs to have the following modules enabled:

  • mod_proxy_wstunnel
  • mod_proxy
  • mod_proxy_http
  • mod_proxy_html
  • mod_headers

Please note: mod_proxy_wstunnel is only (officially) available for Apache 2.4. It has been backported to Apache 2.2 - but you'll have to compile it yourself. See this article for details on how to do this.

First, some assumptions.... You have a SSL virtualhost (lights.domain.com) that is going to serve as a proxy to your ISY (IP is 192.168.1.2) using HTTP. The directory on your server assigned is /var/www/lights. You can place your own pages in /var/www/lights (for instance, the websocket example). This example forces authentication - and injects the correct authorization header when presented to ISY. This means you can use different credentials for this site - or even multiple user accounts.

Make sure to set the Authorization header to be correct for your ISYs credentials. This needs to be in the format 'username:password' and then base64 encoded. You can (probably) generate the needed header value with the command line:

echo -n "user:password" | base64

(replace user and password with your ISY username and password)

<VirtualHost *:80>
  ServerAdmin webmaster@lights.domain.com
  DocumentRoot /var/www/html
  ProxyRequests Off
  ProxyPreserveHost On
  KeepAlive On
  KeepAliveTimeout 5000
  ProxyVia Off
  <Proxy *>
    AuthName "Authentication Required"
    AuthType Basic
    AuthUserFile /etc/htpasswd-isy
    require valid-user
    Order deny,allow
    Allow from all
  </Proxy>
  RequestHeader set Authorization "Basic xxxxxxxxxxxxxxxxx"
  ProxyPass "/rest/subscribe" "ws://192.168.1.2/rest/subscribe" retry=4
  ProxyPass "/rest" "http://192.168.1.2/rest"
  ProxyPass "/services" "http://192.168.1.2/services"
  ProxyPass "/WEB" "http://192.168.1.2/WEB"
  ProxyPass "/USER" "http://192.168.1.2/USER"
  ProxyPassReverse "/rest/subscribe" "ws://192.168.1.2/rest/subscribe" retry=4
  ProxyPassReverse "/rest" "http://192.168.1.2/rest"
  ProxyPassReverse "/services" "http://192.168.1.2/services"
  ProxyPassReverse "/WEB" "http://192.168.1.2/WEB"
  ProxyPassReverse "/USER" "http://192.168.1.2/USER"
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  ErrorLog ${APACHE_LOG_DIR}/error.log
</VirtualHost>

Create a .htpasswd-isy file:

htpasswd -c /etc/htpasswd-isy username

Set your proxy authentication password when prompted.

Place the following .htaccess file into /var/www/html (or wherever the web root directory is!):

AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/htpasswd-isy"
Require valid-user

This will proxy certain paths back to the ISY - with the exceptions of the REST endpoints, the /WEB and /USER paths (allowing UDajax and HAD to function, as well as custom web space on the ISY itself).

You should wrap this in SSL! Otherwise - you are sending password in plain text. This is beyond the scope of this article though.